open-nomad/client
Michael Schurter 2965dc6a1a
artifact: fix numerous go-getter security issues
Fix numerous go-getter security issues:

- Add timeouts to http, git, and hg operations to prevent DoS
- Add size limit to http to prevent resource exhaustion
- Disable following symlinks in both artifacts and `job run`
- Stop performing initial HEAD request to avoid file corruption on
  retries and DoS opportunities.

**Approach**

Since Nomad has no ability to differentiate a DoS-via-large-artifact vs
a legitimate workload, all of the new limits are configurable at the
client agent level.

The max size of HTTP downloads is also exposed as a node attribute so
that if some workloads have large artifacts they can specify a high
limit in their jobspecs.

In the future all of this plumbing could be extended to enable/disable
specific getters or artifact downloading entirely on a per-node basis.
2022-05-24 16:29:39 -04:00
allocdir test: use T.TempDir to create temporary test directory (#12853) 2022-05-12 11:42:40 -04:00
allochealth Merge branch 'main' into f-1.3-boogie-nights 2022-03-23 09:41:25 +01:00
allocrunner artifact: fix numerous go-getter security issues 2022-05-24 16:29:39 -04:00
allocwatcher test: use T.TempDir to create temporary test directory (#12853) 2022-05-12 11:42:40 -04:00
config artifact: fix numerous go-getter security issues 2022-05-24 16:29:39 -04:00
consul Merge branch 'main' into f-1.3-boogie-nights 2022-03-23 09:41:25 +01:00
devicemanager ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:58:52 -05:00
dynamicplugins fix data race in dynamic plugin registry tests (#12554) 2022-04-14 14:55:56 -04:00
fingerprint build: update ec2 instance profiles 2022-04-21 11:47:40 -05:00
interfaces artifact: fix numerous go-getter security issues 2022-05-24 16:29:39 -04:00
lib test: use T.TempDir to create temporary test directory (#12853) 2022-05-12 11:42:40 -04:00
logmon test: use T.TempDir to create temporary test directory (#12853) 2022-05-12 11:42:40 -04:00
pluginmanager test: use T.TempDir to create temporary test directory (#12853) 2022-05-12 11:42:40 -04:00
servers feat: remove dependency to consul/lib 2022-04-09 13:22:44 +02:00
serviceregistration services: cr followup 2022-04-22 09:14:29 -05:00
state test: use T.TempDir to create temporary test directory (#12853) 2022-05-12 11:42:40 -04:00
stats ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:58:52 -05:00
structs ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:58:52 -05:00
taskenv services: cr followup 2022-04-22 09:14:29 -05:00
testutil client: cgroups v2 code review followup 2022-03-24 13:40:42 -05:00
vaultclient ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:58:52 -05:00
acl.go
acl_test.go ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:58:52 -05:00
agent_endpoint.go
agent_endpoint_test.go ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:58:52 -05:00
alloc_endpoint.go
alloc_endpoint_test.go client: enable support for cgroups v2 2022-03-23 11:35:27 -05:00
alloc_watcher_e2e_test.go job_hooks: add implicit constraint when using Consul for services. (#12602) 2022-04-20 14:09:13 +02:00
client.go artifact: fix numerous go-getter security issues 2022-05-24 16:29:39 -04:00
client_stats_endpoint.go
client_stats_endpoint_test.go ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:58:52 -05:00
client_test.go test: use T.TempDir to create temporary test directory (#12853) 2022-05-12 11:42:40 -04:00
csi_endpoint.go
csi_endpoint_test.go ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:58:52 -05:00
driver_manager_test.go ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:58:52 -05:00
enterprise_client_oss.go
fingerprint_manager.go
fingerprint_manager_test.go ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:58:52 -05:00
fs_endpoint.go
fs_endpoint_test.go raw_exec: make raw exec driver work with cgroups v2 2022-04-04 16:11:38 -05:00
gc.go
gc_test.go ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:58:52 -05:00
heartbeatstop.go
heartbeatstop_test.go ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:58:52 -05:00
node_updater.go
rpc.go fix: use NewSafeTimer 2022-04-11 19:37:14 +02:00
rpc_test.go ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:58:52 -05:00
testing.go client: refactor common service registration objects from Consul. 2022-03-15 09:38:30 +01:00
util.go